<?php
/**
 * @author Andrew Willmott <andrew.willmott@omni-fi.net>
 * @copyright Copyright (c) 2011, Andrew Willmott
 * @license http://www.opensource.org/licenses/mit-license.php MIT Licence
 * @version 1.0
 *
 * This page includes all the functions for logging into the bank either as an administrator or as a user
 */
require('functions.inc.php');

if (array_key_exists('username', $_POST)){
	//The user has posted something so we can process it
	basicLogin($_POST['username'], $_POST['password']);
}
else if(array_key_exists('logout', $_GET)){
	//The user wants to log out
	logout();
}
else {
	//The user has not posted anything so give them the signup form
	displayLogin($_POST['username'], $_POST['password']);
}

/**
 * This function processes the login.  It should eventual work with a client side hashing function such that 
 * even if the SSL session is intercepted, possibly by a corporate proxy or attacker, the password remains secure.
 * Each time the user logs in the password hash is regenerated preventing replay attacks.  Prior to the development
 * of the JavaScript login box the function basicLogin provides the hashing server side.  
 */
function processLogin($username, $password, $newPassword, $newSalt){
	htmlHeader("Login");
	echo "</head>\n<body>\n";
	
	//Check password
	$dbh = dbUpdateConnection();
	$dbh->beginTransaction();
	$stmt = $dbh->prepare("SELECT user_account_id, user_account_is_admin FROM user_accounts 
				WHERE (user_account_name = :username) AND (user_account_password = :password)");
	$stmt->bindValue(':username', $username, PDO::PARAM_STR);
	$stmt->bindValue(':password', $password, PDO::PARAM_STR);
	$stmt->execute() or die('Not able to process login');
	if ($stmt->rowCount() == 1){
		//The username and password provided were valid
		//Set new password as per user's hash
		$stmt2 = $dbh->prepare("INSERT INTO user_accounts (user_account_name, user_account_password, user_account_salt)
					VALUES (:username, :password, :salt)");
		$stmt2->bindValue(':username', $username, PDO::PARAM_STR);
		$stmt2->bindValue(':password', $newPassword, PDO::PARAM_STR);
		$stmt2->bindValue(':salt', $newSalt, PDO::PARAM_INT);
		$stmt2->execute();
		$result = $stmt->fetch(PDO::FETCH_ASSOC);
		$dbh->commit() or die('Unable to log in');
		$_SESSION['loggedin'] = TRUE;
		$_SESSION['username'] = $username;
		$_SESSION['userid'] = $result['user_account_id'];
		$_SESSION['admin'] = $result['user_account_is_admin'];
		echo "\t<h1>Login Succeded</h1>\n\t<p>You are logged in</p>\n";
	}
	else {
		//The username and password provided were invalid
		echo "\t<h1>Login Failed</h1>\n\t<p>You provided invalid login credentials</p>\n";
	}
	echo "</body>\n</html>";
}

/**
 * This function provides a client side hashing of the password the user provides and generates the new hash
 */
function basicLogin($username, $password){
	
	//Connect to DB to get current hash for the username
	$dbh = dbReadConnection();
	$stmt = $dbh->prepare("SELECT user_account_salt FROM user_accounts WHERE user_account_name = :username");
	$stmt->bindValue(':username', $username, PDO::PARAM_STR);
	$stmt->execute();
	$result = $stmt->fetch(PDO::FETCH_ASSOC);
	$salt = $result['user_account_salt'];
	//Generate current hash
	$hash = hash('sha256', "$password $salt $username");
	//Generate new salt
	$newSalt = mt_rand(0, 2147483640);
	//Generate new password hash
	$newPassword = hash('sha256', "$password $newSalt $username");
	//Continue with the login
	processLogin($username, $hash, $newPassword, $newSalt);
}

/**
 * This function displays the login dialouge box
 */
function displayLogin(){
	htmlHeader("Login");
	echo "</head>\n<body>\n\t<h1>Login</h1>\n\t<p>Please enter your login details below</p>\n";
	echo "\t<form action='login.php' method='POST'>\n";
	echo "\t\t<p>\n\t\tUsername <input type='text' name='username' /><br />\n";
	echo "\t\tPassword <input type='password' name='password' /><br />\n";
	echo "\t\t<input type='submit' value='Login' />\n\t\t</p>\n";
	echo "\t</form>\n</body>\n</html>";
}

/**
 * This function logs a user out
 */
function logout(){
	$_SESSION['loggedin'] = FALSE;
	$_SESSION['admin'] = FALSE;
}
?>